
Google Ads Glitch Exposes Sensitive Competitor Data, Causes Reporting Disruption

 

A significant glitch in Google Ads recently disrupted advertisers’ access to critical performance data and inadvertently exposed sensitive competitor information, raising concerns about data security and potential unfair business practices. The issue, which began on July 30, 2024, led to the temporary unavailability of key reporting tools and product management features, complicating campaign management for businesses. 

The main issue with the glitch was the accidental exposure of sensitive competitor information. Between July 30 and July 31, 2024, a small number of advertisers could view unrelated item IDs, product titles, and Merchant Center information from other accounts. This breach allowed advertisers to identify direct competitors by searching through the exposed product titles, raising significant privacy and competitive fairness concerns. Furthermore, the Products, Product Groups, and Listing Groups pages were down across the web interface, API, and Google Ads Editor. This outage prevented advertisers from accessing essential performance data, including insights into competitors’ products and advertising strategies. 

Although the exposed data did not include personal information, it provided valuable insights into competitors’ advertising methods, potentially giving some advertisers an unfair advantage. This incident underscored severe issues regarding data security and the possibility of unethical business practices. Google acknowledged the problem and is actively working to resolve it. Ginny Marvin, a Google Ads liaison, mentioned on X (formerly Twitter) that the team is “actively looking into” the issue and will provide updates as more information becomes available. 

However, the company has not provided detailed information about the cause of the glitch or the number of affected users. In response to this incident, some advertising agencies have started encrypting sensitive information within client accounts to prevent future breaches. As of August 4, 2024, Google reported via its dashboard and its product liaison handle on X that while some accounts might still be impacted, all reporting services have been restored for accounts not affected by the issue.

Google has assured users that it is continuing efforts to restore reporting services for the Report Editor and the Products tab for affected accounts. They promised to provide further updates as more information becomes available and to reach out directly to all impacted customers with details on the incident. Advertisers are advised to be cautious when accessing their Google Ads accounts and to avoid acting on any data until Google confirms that the issue is fully resolved. The ongoing efforts by Google to restore all reports online are a positive step towards re-establishing data security and confidence in the platform.

HUMAN Team Shuts Down Major Mobile Ad Fraud Scheme

 


In a major development, the HUMAN Satori Threat Intelligence and Research Team has successfully dismantled a vast mobile advertising fraud operation known as "Konfety." This scheme, which generated billions of fake ad requests each day, was designed to deceive both users and advertisers on a large scale.

The Konfety scammers used a mobile advertising tool called CaramelAds to carry out their scheme. They created numerous fake apps, which appeared to be ordinary games on the Google Play Store. These apps were actually just a front for the fraud. The core of the scam involved "evil twin" apps—modified versions of CaramelAds that did not follow privacy regulations and were used to show fraudulent ads.

The fraudulent apps were designed to mimic genuine user activity. They displayed unwanted ads, opened websites without user consent, and used various tactics to create the illusion of legitimate traffic. This allowed the scammers to profit from fake ad views and clicks, deceiving both users and advertisers.

Upon discovering the fraud, the HUMAN team quickly implemented measures to block the fraudulent traffic. They flagged suspicious activity and worked with ad networks to stop the scam. In response, the fraudsters tried to shift their operations to other networks not protected by HUMAN, but their efforts were largely thwarted by HUMAN’s protective measures.

Google Play Protect was crucial in identifying and removing the fraudulent apps. Despite its efforts, the scale of the Konfety scheme highlighted the ongoing challenge of preventing such sophisticated scams. Google continues to monitor and protect users from these threats.

HUMAN’s team developed specific detection techniques for the Konfety scam and shared their findings with other security experts. This collaboration led to a significant reduction in fraudulent ad requests and enhanced overall security in digital advertising.

The successful shutdown of the Konfety fraud is a reminder of the need for vigilance and cooperation in the fight against online scams. HUMAN’s ongoing efforts to safeguard the integrity of digital advertising are essential as cybercriminals continue to evolve their tactics. This case highlights the need for constant vigilance and industry collaboration to maintain a secure online environment.




A Nearly $400 Million Fine Has Been Imposed on Google by the States

 

In a settlement over its location tracking practices, Google will have to pay close to $400 million to over 40 states. This is part of a $2.6 billion settlement, as announced on Monday.

Attorney General Rosenblum led an investigation into the multinational technology company that has its headquarters in Mountain View, California, along with Nebraska Attorney General Doug Peterson. According to the Oregon Attorney General's office, this is the largest consumer privacy settlement ever brought by an attorney general. 

In 2018, Rosenblum and other attorneys general started a bipartisan investigation into the company's practices based on an article published by the Associated Press. They found that Google had created confusing settings for consumers since at least 2014, and had been violating state consumer protection laws as a result. 

Rosenblum's office explained how the public was misled. According to the settlement agreement, Google misled its users into believing that they had turned off location tracking in their account settings. In fact, Google continued to collect their location information as indicated in the settlement. Further, in conjunction with the multimillion-dollar settlement, Google has agreed in the negotiations with the AGs to improve its user controls and disclosures about location tracking by 2023. 

Google uses location data, along with other types of personal information, to make sure users receive targeted advertisements. In the view of Rosenblum's office, users' location data is among the most sensitive information the company collects, because it feeds the detailed profiles Google builds of them, which can in turn reveal a person's identity and routines.

In Rosenblum's view, "Google has prioritized profit over the privacy of its users for years. There has been a lot of deception and craftiness on their part. The company has been secretly recording the movements of consumers throughout the day and using that information for advertising purposes in spite of the fact that they thought they had turned off location tracking on Google." 

Besides paying $391.5 million, Google has also been ordered to make key information about location tracking unavoidable for users (not hidden). Google is now required to give users detailed information on a page titled “Location Technologies” about the types of location data it collects and how it is used. 

In addition to Arkansas, Florida, Illinois, Louisiana, New Jersey, North Carolina, Pennsylvania, and Tennessee, there were many other states that were part of the settlement. 

Among the states that have joined this settlement are Alabama, Alaska, Colorado, Connecticut, Delaware, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Nevada, New Mexico, New York, North Dakota, Ohio, Oklahoma, South Carolina, South Dakota, Utah, Vermont, Virginia, and Wisconsin. 

"Consumer privacy is one of my office’s top priorities. That’s why it’s so significant to me that Oregon played a key role in this settlement," Rosenblum further stated. "Until we have comprehensive privacy laws, companies will continue to compile large amounts of our personal data for marketing purposes with few controls."

Scylla: Ad Fraud Scheme in 85 Apps with 13 Million Downloads

 

Security researchers have exposed 85 apps involved in an ongoing ad fraud campaign that began in 2019. Of these, 75 apps are on Google Play, while 10 are on the App Store. Collectively, the apps have more than 13 million downloads to date.
 
Researchers from HUMAN’s Satori Threat Intelligence have collectively named the mobile apps identified in the ad fraud campaign ‘Scylla’.
 
The malicious apps flooded mobile devices with advertisements, both visible and hidden. Additionally, the fraudulent apps garnered revenue by impersonating legitimate apps in app stores. Although these apps are not seen as severe threats to users, the adware operators can use them for more malicious activities.
 
According to the researchers, Scylla is believed to be the third wave of an ad fraud campaign that came to light in August 2019, termed ‘Poseidon’. The second wave, called ‘Charybdis’, led up to the end of 2020.

The original operation, Poseidon, comprised over 40 fraudulent Android apps designed to display out-of-context ads or even ads hidden from the view of mobile users.
 
The second wave, Charybdis, was a more sophisticated version of Poseidon, targeting advertising platforms via code obfuscation tactics. Scylla apps, on the other hand, expand beyond Android to target the iOS ecosystem. In addition, Scylla relies on additional layers of code obfuscation, using the Allatori Java obfuscator, which makes it hard for researchers to detect or reverse engineer the adware.
 
These fraudulent apps are engineered to commit several kinds of ad fraud, including mimicking popular apps (such as streaming services) to trick advertising SDKs into placing their ads, displaying out-of-context and hidden ads, and generating clicks from unaware users, all of which generate ad revenue for the operator.
 
"In layman's terms, the threat actors code their apps to pretend to be other apps for advertising purposes, often because the app they're pretending to be is worth more to an advertiser than the app would be by itself," states HUMAN security. 
 
According to the sources, the researchers have informed Google and Apple about these fraudulent apps, following which the apps are being removed from Google Play and the App Store. Users who have downloaded any of the suspected adware apps are advised to simply remove them.
  
Furthermore, in light of the increase in such fraud, the Satori researchers have suggested precautionary measures users can take to avoid falling for adware. These include examining apps before downloading them, looking out for apps that they do not remember downloading, and avoiding third-party app stores that could harbor malicious applications.

US Reclaimed $15 Million From an Ad Fraud Operation

 

The US government has recovered more than $15 million in earnings from the 3ve digital advertising fraud enterprise, which cost firms more than $29 million in unviewed ads. 

According to the Justice Department, Sergey Ovsyannikov, Yevgeniy Timchenko, and Aleksandr Isaev accessed more than 1.7 million infected computers between December 2015 and October 2018, using tens of command and control (C&C) servers to run the Kovter botnet. Kovter, a click-fraud malware, would quietly run in the background while connecting to sites to consume advertisements.

According to the Justice Department, a forfeiture order resulted in the transfer of $15,111,453.84 from Swiss bank accounts to the US government. The scheme resulted in the falsification of billions of ad views and the spoofing of over 86,000 domains. According to the US Department of Justice, groups paid over $29 million for advertising never seen by real people.

Ovsyannikov and Timchenko were arrested in 2018, pleaded guilty, and were sentenced to jail terms in the United States. For their role in 3ve (pronounced "Eve"), Isaev and five others are accused of money laundering, wire fraud, computer intrusion, and identity theft, yet they remain free.

The US also charged Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, and Dmitry Novikov, five Russian citizens, with running the Methbot ad fraud scheme, which is thought to have netted the fraudsters more than $7 million in illegal gains. 

"This forfeiture is the greatest international cybercrime recovery in the Eastern District of New York's history," said United States Attorney Peace in a press statement.

Google Is Supplying Private Data to Advertisers?




Google faces a serious accusation: it is allegedly using secret web pages to surreptitiously give away data to advertisers.

According to sources and the evidence provided, Google may be dealing in data without paying much attention to data protection measures.

The matter is under investigation and is being treated as serious. The sensitive data apparently includes the race, political leanings, and health details of its users.

Reportedly, the secret web pages were discovered by the chief policy officer of a web browser, who also found that Google had tagged them with identifying trackers.

Allegedly, Google uses that very tracker to feed data to advertisers. This is possibly an attempt at predicting browsing behavior.

According to sources, Google is doing all it can to cooperate with the investigations. The Google representative also said that they don’t transact with ad bidders without users’ consent.

Reportedly, Google has mentioned previously that it shall not “share encrypted cookie IDs in bid requests with buyers in its authorized buyers marketplace”.